Total Meltdown - Microsoft's Meltdown patch failure allows any program to R/W kernel memory

https://blog.frizk.net/2018/03/total-meltdown.html

 

Microsoft made something termed "The worst which could happen" into something even worse. Microsoft's Windows 7 patch for Meltdown had the unintended effect of letting any application access kernel memory - both reading and writing.

 

Quote


Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse ... It allowed any process to read the complete memory contents at gigabytes per second, oh - it was possible to write to arbitrary memory as well.

No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required - just standard read and write!

 

Microsoft accidentally set the User/Supervisor flag to User, allowing any user-mode application to access the kernel memory, which was what the patch should have prevented.

Quote

In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.

The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM. For more in-depth information about paging please have a look at Getting Physical: Extreme abuse of Intel based Paging Systems - Part 1 and Part 2.

 

Additionally, the location of the flag was not randomised like in Windows 10, allowing simpler access to the flag.

Quote

All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.

The last '7' in the PML4e 0x0000000062100867 (from above example) indicates that bits 0, 1, 2 are set, which means it's Present, Writable and User-mode accessible as per the description in the Intel Manual.


Microsoft has patched the issue in the meantime - only Windows 7 x64 systems were affected. Given only one platform was affected by an incorrect flag I would assume that this was produced by an incorrect compiler or a similar issue rather than a human. However, one has to consider what sort of automatic security testing/fuzzing software Microsoft used if they did not check for the issue they were fixing.

Edit: Windows Server 2008 R2 also affected
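To make the flag decoding in the post concrete, here is an added example (not code from the post or from the linked blog) that splits a 4-level x86-64 paging entry into its flag bits and physical address, and then checks the single property the post is about: whether a present PML4 self-reference entry has its U/S bit set. Bit positions follow the Intel manual; the "fixed" value is constructed by clearing U/S on the entry quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits of a 4-level x86-64 paging-structure entry (PML4E/PDPTE/PDE/PTE). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_USER      (1ULL << 2)   /* U/S bit: 1 = user-mode accessible */
#define PTE_NX        (1ULL << 63)
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51: physical address */

struct pte_flags {
    bool present, writable, user, nx;
    uint64_t phys;   /* physical address of the next-level table or page */
};

/* Split one raw 64-bit entry into its flag bits and physical address. */
struct pte_flags decode_pte(uint64_t e)
{
    struct pte_flags f;
    f.present  = (e & PTE_PRESENT) != 0;
    f.writable = (e & PTE_WRITE)   != 0;
    f.user     = (e & PTE_USER)    != 0;
    f.nx       = (e & PTE_NX)      != 0;
    f.phys     = e & PTE_ADDR_MASK;
    return f;
}

/* The self-referencing PML4 entry maps the page tables themselves, so it must
 * only ever be supervisor-accessible. A present entry with U/S = 1 is the
 * misconfiguration the post describes. Returns true when the entry is unsafe. */
bool selfref_pml4e_is_user_accessible(uint64_t pml4e)
{
    struct pte_flags f = decode_pte(pml4e);
    return f.present && f.user;
}

int main(void)
{
    uint64_t faulty = 0x0000000062100867ULL;   /* value quoted in the post */
    uint64_t fixed  = faulty & ~PTE_USER;      /* constructed: same entry, U/S cleared */
    struct pte_flags f = decode_pte(faulty);
    printf("phys=0x%llx P=%d W=%d U=%d NX=%d\n", (unsigned long long)f.phys,
           f.present, f.writable, f.user, f.nx);
    printf("faulty entry user-accessible: %d\n", selfref_pml4e_is_user_accessible(faulty));
    printf("fixed entry user-accessible:  %d\n", selfref_pml4e_is_user_accessible(fixed));
    return 0;
}
```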


Wow, everyone is having issues patching.

REMINDER: test patches before deploying; don't use the public as testers.


Luckily this has already been patched but damn is that scary.


1 hour ago, GDRRiley said:

wow everyone is having issues patching.

REMINDER test patches before deployed don't use the public as testers.

Microsoft: Join our insider program and find our bugs for us!


Anyone have the KB # for the patch that fixes this issue?

 

edit: Nevermind. It was patched in 2018-03. KB4088878 and up should have it!


3 hours ago, ScratchCat said:

Given only one platform was affected by an incorrect flag I would assume that this was produced by an incorrect compiler or a similar issue rather than a human.

I'm waiting for the reply to say they did this intentionally to make people upgrade to w10 


Just now, Cookybiscuit said:

I'm sure this was a total accident and definitely not a sad attempt to get people to use Windows 10.

Shush you


5 minutes ago, Sierra Fox said:

I'm waiting for the reply to say they did this intentionally to make people upgrade to w10 

 

1 minute ago, Cookybiscuit said:

I'm sure this was a total accident and definitely not a sad attempt to get people to use Windows 10.

 

Well you called it lol


3 hours ago, ScratchCat said:

Microsoft has patched the issue in the mean time - only Windows 7 x64 systems were affected. Given only one platform was affected by an incorrect flag I would assume that this was produced by an incorrect compiler or a similar issue rather than a human. However one has to consider what sort of automatic security testing/fuzzing software Microsoft used if they did not check for the issue they were fixing.

Windows Server 2008 R2 is also affected.


11 minutes ago, Sierra Fox said:

I'm waiting for the reply to say they did this intentionally to make people upgrade to w10 

Just wait, they'll come, along with the 15-paragraph lectures on spying and government underhandedness. Fifteen links to Russian newspapers as evidence, etc. etc. etc.


10 minutes ago, SpaceGhostC2C said:

- Sir, we just noticed, on some occasions, the wrong keys are able to unlock our main door. We need to fix this!

- I see. Any suggestions?

-...

-...

-...

- Remove the door?

In this case the analogy would have the suggestion, "let's give everyone the keys to every door, problem solved".


Ahahahahahaha!!


19 hours ago, M.Yurizaki said:

It prevented Meltdown, that was all that testing that was required per se.

Issue: Windows vulnerable to Meltdown.

Fix: Implement patch to shutdown any computer using Intel CPUs as soon as CPU type detected.

Outcome: Windows cannot be attacked using Meltdown.

 

Given Microsoft's QA for larger releases this seems reasonable - >7 million Windows Insiders and they still have large scale issues on many releases


4 minutes ago, ScratchCat said:

Issue: Windows vulnerable to Meltdown.

Fix: Implement patch to shutdown any computer using Intel CPUs as soon as CPU type detected.

Outcome: Windows cannot be attacked using Meltdown.

 

Given Microsoft's QA for larger releases this seems reasonable - >7 million Windows Insiders and they still have large scale issues on many releases

and it's going to be even funnier now when it happens due to MS shoving AUTOMATIC UPDATES down our throats.


9 minutes ago, ScratchCat said:

Issue: Windows vulnerable to Meltdown.

Fix: Implement patch to shutdown any computer using Intel CPUs as soon as CPU type detected.

Outcome: Windows cannot be attacked using Meltdown.

 

Given Microsoft's QA for larger releases this seems reasonable - >7 million Windows Insiders and they still have large scale issues on many releases

Technically that fixes the issue.  But aside that, if someone doesn't test a corner case because it didn't cross their mind, then it doesn't get tested, it's that simple. And if everyone is tunnel visioned into thinking about what problem to solve, things like this slip through. Unless you want everyone to spend the rest of their lives finding corner cases, you're not going to release anything at all.

 

Hindsight is 20/20 after all.


2 hours ago, ScratchCat said:

Given Microsoft's QA for larger releases this seems reasonable - >7 million Windows Insiders and they still have large scale issues on many releases

It took industry leading professionals more than 15 years to find Meltdown. Insiders (who mostly just use the OS and report obvious bugs) are not going to be efficient at uncovering bugs that have no obvious signs of existing, nor is it the point of the program to uncover such exploits. We may as well blame the test drivers at VW for not picking up the emissions control fraud.


2 hours ago, bcredeur97 said:

due to MS shoving AUTOMATIC UPDATES down our throats.

so annoying. They now shove MS Office updates up my *** constantly, changing stuff. NO, Microc*cks, I paid for Office 2016, not crappy Office 365 (365 referring to the amount of issues it has?)

 

*desperation*


13 minutes ago, The Viking said:

so annoying. They now shove MS Office updates up my *** constantly, changing stuff. NO, Microc*cks, I paid for Office 2016, not crappy Office 365 (365 referring to the amount of issues it has?)

 

*desperation*

I'd like to know what's going on there, because I have the same office installed on a windows 7 machine and a windows 10 machine. I get constant requests on 7 to upgrade/update  but nothing on the 10 machine. 


Anyone know if this Total Meltdown needs local access or physical access to exploit?

 

Still didn't install the latest Windows update yet since it has a problem with the NIC and causes another problem.


24 minutes ago, mr moose said:

I'd like to know what's going on there, because I have the same office installed on a windows 7 machine and a windows 10 machine. I get constant requests on 7 to upgrade/update  but nothing on the 10 machine. 

Because 10 does it without asking? 9_9 Anyway, I've totally dropped Office now so IDK... :D (the HR loves me for this one with their macro infested crap)


26 minutes ago, heybengbeng said:

anyone know if this Total Meltdown need local access or physical access to exploit?

 

still didnt install latest windows update yet since it have problem to NIC and causing another problem

Total Meltdown is a bug with the OS itself. If you are affected, anyone with access of any kind can exploit it.


1 minute ago, jagdtigger said:

Because 10 does it without asking? 9_9 Anyway, im totally dropped office now so IDK... :D (the HR loves me for this one with their macro infested crap)

No updates, nothing.  It just leaves it alone.  It's like I turned off automatic updates or something (but I haven't). 
